CVE-2023-1888

8.8 HIGH

📋 TL;DR

The Directorist WordPress plugin up to and including version 7.5.4 is missing an authorization check in its password reset functionality, so any authenticated user with subscriber-level permissions or higher can reset the password of an arbitrary user, including administrators. The attacker then simply logs in with the new password, which amounts to full account takeover and privilege escalation to administrator. Any WordPress site with a vulnerable Directorist version active is affected.

💻 Affected Systems

Products:
  • Directorist WordPress Plugin
Versions: Up to and including 7.5.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Directorist plugin enabled. Any authenticated user (subscriber role or higher) can exploit this vulnerability.

📦 What is this software?

Directorist is a directory and classified-listings plugin for WordPress (published by wpWax) used to build business directories, listing sites and similar marketplaces. Besides the listing features it adds front-end user registration, login and account-management forms, including password reset, which is where this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site compromise. An attacker resets an administrator's password, logs in, and can install backdoors, deface the site, steal sensitive data or use the site as a pivot for further attacks.

🟠 Likely Case: An attacker gains administrative privileges and modifies content, installs malicious plugins or themes, or exfiltrates user data.

🟢 If Mitigated: Once patched (or with the plugin deactivated), a low-privileged user can no longer reset anyone else's password; the exposure shrinks to the standard WordPress lost-password flow for the attacker's own account.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the vulnerability requires only subscriber-level access, which any visitor can self-provision on a site that has 'Anyone can register' enabled.
🏢 Internal Only: MEDIUM - Internal attackers with a legitimate subscriber account can exploit this, but they first need an account on the WordPress site.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No (a subscriber-level account or higher is required)
Complexity: LOW

Exploitation requires an authenticated account but is technically simple: a single crafted password reset request targeting the victim's account. A public proof of concept is included in the security advisories for this issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.5.5 and later

Fix Commit (WordPress.org plugin Trac changeset, not a narrative advisory): https://plugins.trac.wordpress.org/changeset/2920100/directorist

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Directorist plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 7.5.5 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable Directorist Plugin (all platforms)

Temporarily deactivate the vulnerable plugin until it is patched. This also removes the directory and its front-end forms from the site, so treat it as a stop-gap.

wp plugin deactivate directorist

Restrict User Registration (all platforms)

Disable open registration so attackers cannot self-provision the subscriber account the exploit requires. Existing low-privileged accounts still need to be reviewed, since any one of them can exploit the flaw.

Navigate to Settings → General → Membership: uncheck 'Anyone can register'

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block password reset requests to directorist/login.php. Confirm the actual request path in your own access logs before deploying the rule, since WordPress plugins commonly route such actions through /wp-admin/admin-ajax.php as well.
  • Monitor for suspicious password reset activity, audit the list of administrator accounts, and keep the number of low-privileged accounts to the minimum the site actually needs.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Directorist → Version number. If version is 7.5.4 or lower, you are vulnerable.

Check Version:

wp plugin get directorist --field=version

Verify Fix Applied:

Verify Directorist plugin version is 7.5.5 or higher in WordPress admin panel.
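The version check above, as an added example for this page (not tooling from the advisory or the Directorist project): a POSIX shell/awk comparison against the first fixed release, 7.5.5, that does not depend on GNU `sort -V`, plus a fallback that reads the `Version:` header of the plugin's main file for hosts without WP-CLI. The main file path `wp-content/plugins/directorist/directorist.php` is an assumption; the header text used in the usage line is constructed.

```shell
#!/bin/sh
# Added example for this page, not from the advisory or the Directorist project.
# Decides whether an installed Directorist version falls in the affected range
# (<= 7.5.4) without relying on `sort -V`, which busybox and macOS lack.

FIXED_VERSION="7.5.5"   # first fixed release named above

# version_lt A B -> exit 0 when A < B, comparing dotted components as integers.
# Handles differing component counts ("7.5" vs "7.5.5") and suffixes such as
# "7.5.4-beta" by stripping the non-numeric tail of each component.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = pa[i]; y = pb[i]
            sub(/[^0-9].*$/, "", x); sub(/[^0-9].*$/, "", y)
            x = x + 0; y = y + 0            # missing component counts as 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1                              # equal -> not less than
    }'
}

# directorist_status VERSION -> prints VULNERABLE or PATCHED.
directorist_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE"
    else
        echo "PATCHED"
    fi
}

# plugin_version_from_header [FILE] -> prints the "Version:" value from a
# WordPress plugin header block (reads stdin when no file is given).
# ASSUMPTION: the main plugin file is wp-content/plugins/directorist/directorist.php.
plugin_version_from_header() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$@" | head -n 1
}

# Usage with a constructed header (on a real host, feed the plugin file or use
# `wp plugin get directorist --field=version` instead).
v=$(printf ' * Plugin Name: Directorist\n * Version: 7.5.4\n' | plugin_version_from_header)
echo "Directorist $v: $(directorist_status "$v")"
```

Run it against every site on a shared host in a loop over `wp-content/plugins/directorist/directorist.php` paths; anything reported VULNERABLE needs the 7.5.5 update or one of the workarounds above.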

📡 Detection & Monitoring

Log Indicators:

  • Password reset requests from low-privileged accounts that target other users (visible in a security or audit plugin's log; WordPress core does not log these by default)
  • Multiple failed login attempts from one source followed by a successful password reset and then a successful login to a different, higher-privileged account
  • Administrator passwords changed without a corresponding lost-password e-mail or admin-initiated change

Network Indicators:

  • POST requests to /wp-content/plugins/directorist/login.php with password reset parameters
  • Unusual traffic patterns to Directorist plugin endpoints

SIEM Query (Splunk-style illustration; WordPress core writes no application log of its own, so point the source at your web server access logs or a security plugin's audit log and adjust the field names accordingly):

source="wordpress.log" AND ("password reset" OR "directorist/login.php") AND status=200
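The log and network indicators above, as an added example for this page (not tooling from the advisory or the Directorist project): POSIX shell/awk run over Apache or nginx "combined" access logs, with a constructed sample log. It assumes the reset endpoint path this page names (/wp-content/plugins/directorist/login.php), which you should confirm against your own logs, and relies on wp-login.php answering a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect.

```shell
#!/bin/sh
# Added example for this page, not from the advisory or the Directorist project.
# Hunts access logs for the indicators listed above: successful POSTs to the
# Directorist password reset endpoint, and source IPs that first rack up failed
# wp-login.php attempts and then hit the reset endpoint.

# Path named by the advisory. ASSUMPTION: verify it against your own access
# logs; many plugins route such actions through /wp-admin/admin-ajax.php instead.
RESET_PATH='/wp-content/plugins/directorist/login.php'

# Constructed sample in "combined" format (not a captured incident).
# wp-login.php returns 200 when a login fails and 302 when it succeeds.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Apr/2023:09:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "curl/7.88"
203.0.113.7 - - [10/Apr/2023:09:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "curl/7.88"
203.0.113.7 - - [10/Apr/2023:09:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "curl/7.88"
203.0.113.7 - - [10/Apr/2023:09:02:01 +0000] "POST /wp-content/plugins/directorist/login.php HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.7 - - [10/Apr/2023:09:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.88"
198.51.100.2 - - [10/Apr/2023:09:05:00 +0000] "GET /wp-content/plugins/directorist/assets/css/main.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Apr/2023:09:05:03 +0000] "POST /wp-content/plugins/directorist/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2023:09:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
EOF
)

# reset_posts: read a log on stdin, print "ip timestamp" for every HTTP 200 POST
# whose path starts with RESET_PATH (query strings allowed).
# Combined-format fields: $1 ip, $4 [timestamp, $6 "METHOD, $7 path, $9 status.
reset_posts() {
    awk -v path="$RESET_PATH" '
        $6 == "\"POST" && index($7, path) == 1 && $9 == "200" { print $1, substr($4, 2) }'
}

# suspicious_ips [N]: IPs with at least N failed wp-login.php POSTs that later
# (in log order, which is chronological) POST to the reset endpoint. Default N=3.
suspicious_ips() {
    awk -v path="$RESET_PATH" -v threshold="${1:-3}" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fails[$1]++ }
        $6 == "\"POST" && index($7, path) == 1 && $9 == "200" && fails[$1] >= threshold { hit[$1] = 1 }
        END { for (ip in hit) print ip }' | sort
}

# Run against the sample; on a real host: suspicious_ips 3 < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | suspicious_ips 3
```

Only 203.0.113.7 is flagged: it fails three logins, hits the reset endpoint, and then logs in successfully (the 302), which is the sequence the indicators above describe. 198.51.100.2 also reaches the reset endpoint but without prior failures, so treat `reset_posts` output as the broad list to review and `suspicious_ips` as the high-confidence subset.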
